WebCalendar < 1.0.1 send_reminders.php includedir Parameter Remote File Inclusion
High Nessus Network Monitor Plugin ID 3182
Synopsis: The remote host is vulnerable to a script injection attack.
Description: The remote version of WebCalendar fails to sanitize user-supplied input to the 'includedir' parameter of the 'send_reminders.php' script. By leveraging this flaw, an attacker may be able to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts.
Solution: Upgrade to version 1.0.1 or higher.